Implement allowing local LAN access

On Android local networks need to be excluded from the default (or any other route) route if they should bypass the VPN. This adds a callback to specifically bypass the local LAN networks.
2024-09-19 19:52:15 +02:00 · 2018-07-16 16:05:35 +02:00 · 2018-07-16 16:05:35 +02:00 · 0a0d080a49
commit 0a0d080a49
parent 2105b4b7c0
6 changed files with 42 additions and 2 deletions
--- a/client/ovpncli.cpp
+++ b/client/ovpncli.cpp
@ -435,6 +435,7 @@ namespace openvpn {
 	std::string tls_version_min_override;
 	std::string tls_cert_profile_override;
 	std::string gui_version;
+	bool allow_local_lan_access;
 	ProtoContextOptions::Ptr proto_context_options;
 	PeerInfo::Set::Ptr extra_peer_info;
 	HTTPProxyTransport::Options::Ptr http_proxy_options;
@ -684,6 +685,7 @@ namespace openvpn {
 	state->force_aes_cbc_ciphersuites = config.forceAesCbcCiphersuites;
 	state->tls_version_min_override = config.tlsVersionMinOverride;
 	state->tls_cert_profile_override = config.tlsCertProfileOverride;
+	state->allow_local_lan_access = config.allowLocalLanAccess;
 	state->gui_version = config.guiVersion;
 	state->alt_proxy = config.altProxy;
 	state->dco = config.dco;
@ -959,6 +961,7 @@ namespace openvpn {
      cc.gui_version = state->gui_version;
      cc.extra_peer_info = state->extra_peer_info;
      cc.stop = state->async_stop_local();
+      cc.allow_local_lan_access = state->allow_local_lan_access;
 #ifdef OPENVPN_GREMLIN
      cc.gremlin_config = state->gremlin_config;
 #endif
--- a/client/ovpncli.hpp
+++ b/client/ovpncli.hpp
@ -282,6 +282,10 @@ namespace openvpn {
      // pass through control channel INFO notifications via "INFO" event
      bool info = false;

+      // Allow access to local LAN. This is for platforms like
+      // Android that disable local LAN access by default.
+      bool allowLocalLanAccess = false;
+
      // Periodic convenience clock tick in milliseconds.
      // Will call clock_tick() at a frequency defined by this parameter.
      // Set to 0 to disable.
--- a/javacli/ovpncli.i
+++ b/javacli/ovpncli.i
@ -44,6 +44,7 @@
 namespace std {
  %template(ClientAPI_ServerEntryVector) vector<openvpn::ClientAPI::ServerEntry>;
  %template(ClientAPI_LLVector) vector<long long>;
+  %template(ClientAPI_StringVec) vector<string>;
 };

 // interface to be bridged between C++ and target language
--- a/openvpn/client/cliopt.hpp
+++ b/openvpn/client/cliopt.hpp
@ -143,6 +143,7 @@ namespace openvpn {
      bool force_aes_cbc_ciphersuites = false;
      bool autologin_sessions = false;
      bool retry_on_auth_failed = false;
+      bool allow_local_lan_access = false;
      std::string tls_version_min_override;
      std::string tls_cert_profile_override;
      PeerInfo::Set::Ptr extra_peer_info;
@ -347,6 +348,7 @@ namespace openvpn {
 	    tunconf->builder = config.builder;
 	    tunconf->tun_prop.session_name = session_name;
 	    tunconf->tun_prop.google_dns_fallback = config.google_dns_fallback;
+	    tunconf->tun_prop.allow_local_lan_access = config.allow_local_lan_access;
 	    if (tun_mtu)
 	      tunconf->tun_prop.mtu = tun_mtu;
 	    tunconf->frame = frame;
--- a/openvpn/tun/builder/base.hpp
+++ b/openvpn/tun/builder/base.hpp
@ -228,6 +228,15 @@ namespace openvpn {
      return true;
    }

+    // When the exclude local network option is enabled this
+    // function is called to get a list of local networks so routes
+    // to exclude them from the VPN network are generated
+    // This should be a list of CIDR networks (e.g. 192.168.0.0/24)
+    virtual const std::vector<std::string> tun_builder_get_local_networks(bool ipv6)
+    {
+      return {};
+    }
+
    // Indicates a reconnection with persisted tun state.
    virtual void tun_builder_establish_lite()
    {
--- a/openvpn/tun/client/tunprop.hpp
+++ b/openvpn/tun/client/tunprop.hpp
@ -63,6 +63,7 @@ namespace openvpn {
      std::string session_name;
      int mtu = 0;
      bool google_dns_fallback = false;
+      bool allow_local_lan_access = false;
      Layer layer{Layer::OSI_LAYER_3};

      // If remote_bypass is true, obtain cached remote IPs from
@ -126,7 +127,28 @@ namespace openvpn {
 	add_remote_bypass_routes(tb, *config.remote_list, server_addr, eer.get(), quiet);

      // add routes
-      add_routes(tb, opt, server_addr, ipv, eer.get(), quiet);
+      if (config.allow_local_lan_access)
+	{
+	  // query local lan exclude routes and then
+	  // copy option list to construct a copy with the excluded routes as route options
+	  OptionList excludedRoutesOptions = opt;
+	  for (const std::string& exRoute: tb->tun_builder_get_local_networks(false))
+	    {
+	      excludedRoutesOptions.add_item(Option{"route", exRoute, "", "net_gateway"});
+	    }
+
+	  for (const std::string& exRoute:  tb->tun_builder_get_local_networks(true))
+	    {
+	      excludedRoutesOptions.add_item(Option{"route-ipv6", exRoute, "", "net_gateway"});
+	    }
+
+	  add_routes(tb, excludedRoutesOptions, ipv, eer.get(), quiet);
+	}
+      else
+	{
+	  add_routes(tb, opt, ipv, eer.get(), quiet);
+	}
+

      if (eer)
 	{
@ -377,7 +399,6 @@ namespace openvpn {

    static void add_routes(TunBuilderBase* tb,
 			   const OptionList& opt,
-			   const IP::Addr& server_addr,
 			   const IPVerFlags& ipv,
 			   EmulateExcludeRoute* eer,
 			   const bool quiet)